Bug 2296053 (CVE-2024-7631)

Summary: CVE-2024-7631 openshift-console: OpenShift Console: Path traversal
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asdas, bmontgom, dpaolell, eparis, jburrell, jdelft, jupierce, lgarciaa, mbiarnes, nstielau, security-response-team, sidsharm, sponnaga, talessio, vlaad, ximhan, yuxzhu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marco Benatto 2024-07-05 21:05:30 UTC 
Path traversal is a vulnerability that allows an attacker to read arbitrary files and directories that are stored outside of the intended files to distribute. This might include sensitive files like secrets, configuration files as well as sensitive operating system files (like /etc/passwd). 
The OpenShift Console has an endpoint for plugins to serve resources in multiple languages: /locales/resources.json The lng and ns parameters for this endpoint are used to unsafely construct a filepath in pkg/plugins/handlers.go#L112 Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.

Impact:
Because of the affected endpoint's logic, only files with the .json extension can be accessed, limiting greatly the impact of this vulnerability. No security-impactful JSON files could be identified on the console's pod.